This week’s Thursday Thoughts is a bit of a mini SME Guide - Over the last couple of weeks I have been able to listen to some amazing speakers on a number of topics. What struck me was that there was so much help for SMEs but very little pointing the way to that help.
It started with the ASCC monthly breakfast at Cresta Court which featured an update from the SME team from the Information Commissioner's Office and Detective Superintendent Neil Jones from the North West Cyber Resilience Centre. This was followed by a super interesting talk from Una Cottrall at “Alex and his sisters” with the title 45 NOT OUT it was interesting to see that the majority in the room fell into that category and many had similar experiences to share. At the Colony breakfast there was some super information of the support available from Manchester Metropolitan University and I delivered one of my “what you need to know about data protection” sharing some relatable information on what SMEs really have to do and why it’s important to get it right. In my talk and the Master Class I delivered a fortnight before I shared links to lots of free support for SMEs. I decided that I’d use this month’s blog to put together all the resources I know about that are free or relevant. Of course there’s also the usual news and blogs too. Enjoy!
What does “Data Protection” really mean for SMEs
Organisations are expected to look after the personal data that they process. Individuals have the right to know:
what data the organisation has
when the organisation shares the data and who it is shared with
how the data is disposed of
Organisations have to DEMONSTRATE their compliance with the legislation.
What are the Key things the Regulations says and what does it mean for SMEs
Individuals have a right to know how their information is used when it is shared, with whom it is shared as well as how and when it will be disposed of or deleted.
You need to understand what personal data you hold and how you use it.
Your Privacy Notice must be clear and you must abide by it.
Individuals have the right to obtain copies of personal data that you hold about them. This is known as a subject access request.
Preparing a Subject Access Request response will mean you will have to check hard copy files as well as all emails and internal documents that have the individual’s data in it. You have to share this information with them.
Individuals have the right to be informed of any data breach,
You have to tell data subjects if you suffer a Data Breach where it will affect their rights and freedoms
Individuals have the right to ask that data you hold is erased or made more accurate
You have to make sure data is kept up to date or deleted.
Organisations must DEMONSTRATE that they are compliant.
You need to document and record your processes so that you can demonstrate your compliance
You can only use the data you have for the purpose you have set out.
You cannot sell it
You must inform individuals if you want to use their data for another purpose and get their agreement.
When you get information from a data broker you have to tell the individual you have it before you start processing it.
Where do Businesses most often fall foul of the Regulations
There are 4 ways that businesses commonly fall foul the most:
Not understanding “Purpose limitation” – for the avoidance of doubt you should only use data for the purpose you gathered it for
Approaching risk to the individuals from the business standpoint and not the data subject’s
Taking Subject Access Requests personally
Failing to act on data breaches or put appropriate security in place
According to the latest statistics
These are the most common risks to businesses
39% of businesses report they suffered a cyber-attack (same as 2021)
Phishing was the most common attack (83% of attacks)
The average cost of a cyber-attack to the business was £4,200
50% of businesses have an insurance policy that covers cyber attacks
Only 19% of businesses have a formal incident response plan
Most ICO fines so far have been for Electronic Communications infringements (marketing emails and nuisance calls) and not GDPR infringements.
Most common audit findings
Many companies require setting specific training for staff
Businesses often fail to carry out an impact assessment for the introduction of new IT systems with disastrous consequences
Businesses do not understand “Legitimate interests” and the need to balance their needs with the data subjects
Policies and Procedures and data sharing agreements are live document and should be reviewed and updated regularly
You should have logs for data breaches and subject access
Staff collecting data should make a “data protection statement” of some sort.
Free Support for SMEs
Did you know that the ICO has a SME Hub?
The ICO SME hub is chock full of advice and guidance for all small organisations of all types including businesses, charities, groups and clubs. It includes free draft privacy notices and top tips such as there’s no need for your privacy notice to be long and complicated. In fact, it’s better if it’s short and simple. There is also relatable information on risk and how to mitigate against it . You will find it here: https://ico.org.uk/for-organisations/sme-web-hub/
North West Cyber Resilience Centre Free support
The North West Cyber Resilience Centre are part of a National group of Cyber Resilience Centres. They have been set up to help protect small businesses from online crime. They are a not-for profit, police led partnership, providing affordable, professional cyber security services to small businesses. Funded from the proceeds of crime act. Take a look at the tools and services they offer which can be tailored to your organisation and sector. Their entry level membership is free and is aimed at micro and small businesses that are ready to take the next steps in their cyber security journey. Here is the link to their site: https://www.nwcrc.co.uk/membership.
Advice for Schools
Schools are often overlooked in terms of cyber security and so the NCSC have developed a cyber security training package for school staff. https://www.ncsc.gov.uk/blog-post/cyber-security-for-schools
Data Protection News
Did you know some websites track information before you submit it
Most of us would expect websites to wait for the user to submit data before they start tracking them. However this article discusses how some of the top websites in the world track user information including email and passwords while the visitor is still typing (perhaps because of embedded marketing tools). You can read more here: https://www.wired.com/story/leaky-forms-keyloggers-meta-tiktok-pixel-study /
Facebook doesn’t know what data it has
Leaked reports from engineers at Facebook liken their data management system to “a bottle of ink being poured into a lake of water”. These reports claim that the company cannot keep track of user’s personal data and isn’t ready for the regulations it now faces on how to handle it. Interesting that the Irish Data Protection Commissioner has just fined Meta €17 million for failure to implement appropriate technical and organisational measures to ensure and demonstrate that personal data is processed in compliance with the GDPR. You can read more about the leaked reports here: https://nypost.com/2022/04/27/facebook-open-borders-leads-to-massive-data-leaks-report/
Good news headlines from the CYBERUK22 conference
The mantra if it’s suspicious report it seems to be catching on.
2.7 million scams taken down from the internet in 2021.
The most common scams were fake celebrity endorsements and vaccine passports
Over 1.2m domains linked with the Android malware #FluBot have been blocked
33m events were flagged to organisations subscribed to the Early Warning service
10k global users have used the NCSC Exercise in a Box toolkit
You can read more here: https://www.ncsc.gov.uk/news/ncsc-significantly-expands-services-to-protect-uk-from-record-number-of-online-scams
UK data protection is likely to change
For those wanting to keep up to date with the UK’s new National Data and Artificial Intelligence Strategies particularly in relation to the EU/UK “Adequacy Agreement”, International Data Transfers and any reform of the UK General Data Protection Regulation (GDPR) you will find helpful links on the Privacy Solved website: https://www.privacysolved.com/tracking-the-changes-to-uk-data-data-protection-gdpr-and-ai/.
Why should I use MFA.
I know I bang on about this a lot but it’s the thing I get asked most often. The answer is simple if you don’t then your data is at risk. Just think if your Gmail account were to be hacked and you haven’t yet told Google to stop tracking you. All of a sudden the hacker knows everything about you and that doesn’t just include your browsing and location history it also includes calendars, contacts, shopping, photos, fitness as well as google meet recordings and passwords stored in chrome and hang out information. Things to do this weekend turn on MFA, use a long unique password, and STOP Google from tracking you.
Youtube “demonetise” a family YouTube channel at the request of the daughter
Parents who wouldn’t stop filming their daughter’s life even though she asked them to and they refused to take the videos down because they generate advertising revenue. The teen called out the channel on her own Instagram and TikTok ac and asking her followers to report it. YouTube’s child safety policy includes a note that “cyberbullying and harassment involving minors” is not allowed. This includes recording someone “without their consent”. TikTok therefore “demonetised” the channel.
Ticketmaster pays it’s £1.25 million fine
Ticketmaster dropped its appeal against the ICO’s £1.25 million GDPR fine and paid it in full.
Video of the week
Beech Web Services Limited - WordPress Insights with Sophy
Beech web services have some great how to videos. This one by Sophy about why search engine ranking matters and how to implement SEO on your WordPress website. It’s got helpful tips on the Yoast plugin and how it can be harnessed to “optimise your content . You can see the video out here- https://www.youtube.com/watch?v=K-azCn6Jc40